Law enforcement may be able to work around iOS 11.4.1 Lightning port restrictions … using a dongle

iOS 11.4.1 (and iOS 12) include new line of defence against a type of security hack aimed at brute-forcing access to iPhones and iPads. The Grayshift boxes plug into the Lightning port and remove prolonged delays between PIN code attempts, allowing law enforcement (or criminals) to brute-force an unlock.

The new USB Restricted Mode in iOS 11.4.1 simply prevents any USB accessories from connecting if the phone has not been unlocked in the last hour. As it typically takes more than a hour to get a warrant for police to be allowed to use a Grayshift box, this is quite a significant roadblock. However, ElcomSoft note that the behaviour can be worked around in some cases …

As a concession to user convenience, the restrictions on the Lightning port only comes into effect if the Lightning port is not currently being used, and the device has not been unlocked for more than a hour.

What ElcomSoft note is that any USB accessory can be plugged into the iOS device within the hour safe window, and this prevents the timeout from ever being reset. This means law enforcement agencies simply need to connect the phone to an accessory as soon as the suspect is apprehended, and leave it connected as they transport the device to a facility for data extraction.

They suggest using the $39 Apple Lightning USB3 Camera Adapter. The dongle allows for pass-through power, which will stop the iOS device from running out of charge in transport.

Importantly, this technique would only work if the iOS device is not already in USB Restricted Mode when captured. Naturally, due to how often people use their iPhones, it is uncommon for the device not to have been unlocked in the last hour. Law enforcement could also tactically observe a suspect, waiting for them to unlock their phone at least once, before apprehending them. (The 1-hour timeout does help with cases where an iOS device has simply been lost, and someone nefarious comes along and picks it up and attempts to brute-force entry.)

What ElcomSoft describes isn’t a vulnerability per se, it’s just a relatively-straightforward workaround for how the feature works. In future iOS releases, it may make sense for Apple to make the policies more stringent, by only prolonging the timeouts for accessories that have been previously authorised as trustworthy. Limitations in the MFI specification may make this easier to say than do however.

It’s worth pointing out that if you would like to immediately require authorisation for USB accessories, you can do the same trick that disables Face ID and Touch ID temporaily: simply hold down the side buttons until the ‘Slide to power off’ screen appears. This immediately makes the device restrict the Lightning port to charging only.

A really interesting tidbit from the ElcomSoft report is that since iOS 11.4, Grayshift’s boxes are already weakened significantly. Apparently, during a forensic security presentation, Grayshift said that they can now only request passcodes once every ten minutes, since the iOS 11.4 update. This is still lower than what iOS typically allows (where delays between attempts escalate up to an hour), but makes brute-forcing much harder.

Well, better to ask GrayShift. But that’s what we learned from their presentation on recent mobile forensic conference…

— ElcomSoft (@ElcomSoft) July 10, 2018

With a password attempt every ten minutes, it could take up to 1600 hours to crack a 4-digit passcode — that’s two months. With a 6-digit passcode, the new iOS default standard, it is practically unfeasible to attempt a brute-force attack at a rate of one attempt per ten minutes. It could take up to 19 years.

Apple hasn’t confirmed the once-every-ten-minute limits, but if true, that’s a really big problem for companies like Grayshift … and a really good thing for customers who just want their devices to be as secure as possible. Security is always a moving target — we’ll have to see how the iOS cracking industry responds to Apple’s latest defences.

You can follow iPhoneFirmware.com on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Apple and the Web.